Abstract—Wireless covert channels promise to exfiltrate information with high bandwidth by circumventing traditional access control mechanisms. Ideally, they are only accessible by the intended recipient and—for regular system users/operators—indistinguishable from normal operation. While a number of theoretical and simulation studies exist in the literature, the practical aspects of WiFi covert channels are not well understood. Yet, it is particularly the practical design and implementation aspect of wireless systems that provides attackers with the latitude to establish covert channels: the ability to operate under adverse conditions and to tolerate a high amount of signal variations. Moreover, covert physical receivers do not have to be addressed within wireless frames, but can simply eavesdrop on the transmission. In this work, we analyze the possibilities to establish covert channels in WiFi systems with emphasis on exploiting physical layer characteristics. We discuss design alternatives for selected covert channel approaches and study their feasibility in practice. By means of an extensive performance analysis, we compare the covert channel bandwidth. We further evaluate the possibility of revealing the introduced covert channels based on different detection capabilities.

I. Introduction 

Wireless transmissions are broadly used, although properly securing them remains an issue. Typically, applications resorting to communications are protected by allowing information leakage only to authorized channels such as data transmission to permitted applications. Communication is often controlled by firewalls. However, potential adversaries might outsmart this protection and nevertheless leak information by setting up a covert channel hidden within inconspicuous actions. For example, they could modify the application layer, camouflaging text within an image on a shared storage, or they could alter the lower layers, e.g., within network protocols and timing.

When hiding information on upper layers, only a few variations such as using reserved bits or changing transmission timings are possible; since a firewall would easily any other type of modification [23]. In contrast, physical wireless transmissions are not plain bits but symbols containing a high amount of noise and random signal variations. Snatching raw data out of the air results in a very large amount of data compared to upper layer capturing, still not revealing whether the recording contained hidden information or not. Regular WiFi receivers are designed to reconstruct the signal despite variations, hence their performance does not significantly decrease when additional information is embedded. Due to the wireless broadcast nature, frames can contain oblivious sender and receiver addresses to not be suspicious to other network participants—and still be received by attackers. For instance, an online banking application could establish a secure connection to a server but maliciously publish login data over a covert wireless physical channel.

WiFi covert channels have been mostly studied in theory and simulation [10]. Practical evaluations are scarce due to the complexity of modifying existing network interface cards (NICs), the work of Dutta et al. [6] being an exception. We close this gap: in our work, we evaluate practical covert channels on the Wireless Open-Access Research Platform (WARP) [2] as well as off-the-shelf wireless NICs as legitimate receivers. Using WARP, we are able to utilize the same orthogonal frequency-division multiplexing (OFDM) modulation schemes as in 802.11a/g. Our covert channels can be easily adapted to OFDM-based wireless communication systems such as LTE, DVB-T, and upcoming standards like LTE Advanced. We aim at remaining compatible with the 802.11a/g standard and having little to no performance decrease on off-the-shelf receivers. Our contributions are as follows:

1) We analyze the IEEE 802.11a/g physical layer with respect to promising anchors for covert channels on frame level and symbol level.

2) We propose, analyze, and practically implement two 
novel covert channels. We study the performance in 
simulation and practice. 

3) We analyze and improve two known covert channels; 
we practically implement them for the first time and 
study the performance in simulation and practice. 

4) We compare the performance of all four covert channels and discuss practical limitations.

This paper is structured as follows: We introduce concepts behind WiFi covert channels in Section II. System and security assumptions are defined in Section III. In Section IV, covert channels and their performance in practice are analyzed. Section V evaluates and discusses results. In Section VI we survey related work. Finally, we conclude our results in Section VII.

II. Background 

In the following, we introduce the concept of covert channels and basic 802.11a/g physical layer operation.

A. Covert Channels 

A first definition of covert channels is given in [15] with 
a focus on information exchange between programs. Channels 
are categorized as: 

• legitimate: information required to manage the program,

• storage: information provided to the program, however, attackers might have access to it, and

• covert: never intended for information exchange. 



The idea of covert channels is similar to that of steganography, 
where messages are hidden within ordinary objects. In case 
cryptography is forbidden within a network, covert channels 
can be used to hide encrypted communication. 

A covert channel consists of Alice, the sending attacker, 
who wants to communicate with Bob, the receiving attacker, 
while being observed by Wendy, a warden. Wendy’s legitimate 
goal is to detect if Alice and Bob exchanged information. In 
a wireless channel, positions of Alice, Bob, and Wendy are 
arbitrary—Wendy might be closer to Alice than Bob. Alice 
and Bob try to obscure the transmitted information to hinder 
Wendy from detection. Alice will typically send legitimate 
traffic to other stations and embed the covert channel. In 
contrast, communication between Alice and Bob is obvious 
in a cryptographic system and does not constitute an attack, 
but Eve wants to illegitimately decipher their communication. 

Covert channels are implementable with and without keys. Kerckhoffs' law from cryptography is applicable to information hiding: the system has to be secure when everything except the key is public. Given this criterion, hiding information by relying on an unknown embedding algorithm is insecure. A wireless covert channel based on a public algorithm but a private key should be indistinguishable from noise. Covert channels are often combined with cryptography to make information look like noise or to add a further security measure.

B. OFDM 

Physical layers of modern communication standards are based on orthogonal frequency-division multiplexing (OFDM). To efficiently use the available transmission bandwidth while still being able to correct channel distortions, the transmission band is divided into subcarriers (SCs). On each of these subcarriers, symbols are transmitted by defining the amplitude and phase of the subcarrier frequency for the duration of each symbol $T_\mathrm{sym}$. Limiting the length of each symbol leads to additional frequency components in the form of sinc functions around each subcarrier. To avoid inter-carrier interference (ICI), the spacing $\Delta f = 1/T_\mathrm{sym}$ ensures that each subcarrier is placed on the zero-crossings of the sinc functions of all others, leading to orthogonality. During transmission, the signal suffers from frequency-selective phase and amplitude changes (fading) that can be corrected at the receiver. However, fading also implies a delay spread leading to the reception of multiple time-delayed copies of the transmitted signal. To avoid inter-symbol interference (ISI), a guard interval is inserted between two symbols, normally containing a continuation of the symbol called the cyclic prefix (CP).


C. IEEE 802.11a/g physical layer 

In the following, we take a closer look at the frame 
structure as well as at the OFDM-based transceiver blocks 
of 802.11a/g systems as illustrated in Figure 1. The presented 
components are also required for more advanced standards. 

For transmission, media access control (MAC) layer data 
bits are scrambled to avoid consecutive ones or zeros, encoded 
for bit error correction, and interleaved for distribution over 
multiple subcarriers. This bit stream is mapped to symbols 
describing amplitude and phase of their subcarrier. Depending 
on the modulation order (bits per symbol) and the coding rate, 
eight gross transfer rates between 6 and 54 Mbps are defined in 
the WiFi standard [20]. In Figure 2, we illustrate the achievable 
bit error rates (BERs) on a plain AWGN channel before and 
after coding. The used modulation scheme is documented in 
the signal field (SIG) that is always encoded with 6 Mbps. 

Using the Inverse Fast Fourier Transform (IFFT), subcarriers are modulated according to symbol definitions resulting in a time-domain signal in the baseband. Before upconversion to the transmission frequency, a preamble consisting of a short training field (STF) and a long training field (LTF) is prepended to every OFDM frame. A receiver needs the STF to adjust the gain of its low-noise amplifier (LNA), and the LTF to estimate and correct channel effects on each subcarrier. Due to frequency differences in $f_{c,tx}$ and $f_{c,rx}$ as well as frequency shifts due to the Doppler effect, carrier frequency offset (CFO) occurs, which breaks the orthogonality between subcarriers and hence requires correction. Coarse CFO correction makes use of the repetitive structure of either STF or LTF, while fine CFO correction uses pilot symbols that are transmitted on four subcarriers of the OFDM data symbols.
Fig. 2: BER baseline for WiFi frames before and after coding on an AWGN channel with varying SNR.

III. System Overview 

In this section, we introduce a security model for wireless 
covert channels and describe our measurement setup. 

A. Security Model 

To secure a system against covert channels, there are two main procedures: either detecting or blocking them. Blocking can be implemented by a wireless jammer [3], [21], though jamming all wireless transmissions including legitimate ones is not an option. Since there are no further processing steps between sending and receiving a signal, there is no possibility to filter signal variations for covert channel blocking. Detecting covert channels to take further actions such as jamming or sender identification does not prevent legitimate wireless transmissions. Sending attackers could be identified using localization methods or device fingerprinting; however, fingerprints can be modified [17], and localization requires multiple antennas.

A covert channel should be secure against detection, even if the information hiding mechanism is known. Detection security limits the capacity of covert channels. Legitimate wireless transmissions containing covert data have to be indistinguishable from regular transmissions. Yet, the overall wireless capacity is limited and a high capacity covert channel might noticeably reduce legitimate throughput.

Layer 1 detection. On the physical layer, detection requires software defined radios (SDRs) or signal analyzers to capture the raw waveforms to measure error vector magnitudes (EVMs), CFOs, and SNRs. A detector could compare these measurements to a benchmark set of typical values in wireless transmissions, and check which of them deviate significantly beyond a certain margin of statistical tolerance. Hence, an attacker should aim at keeping variations with respect to the signal relatively low, and let them only be remarkable in case a secret key is known, thus following Kerckhoffs' principle; this reduces the achievable covert channel throughput.

In this paper, we aim at showing the potential of practical and 802.11a/g compliant covert channels. Providing an upper bound of performance, we do not implement statistical detection countermeasures; however, we give some intuition into how they work in each covert channel description.

Layer 2 detection. An upper layer detector uses off-the-shelf wireless NICs. Even though this is not sufficient equipment to record ongoing transmissions on the physical layer, information passed to upper layers might indicate whether a covert channel is present.

Frames are validated on reception using the frame check sequence (FCS) [20]. If it fails, the frame is dropped by default. Higher layers can only rely on irregularities in timing or throughput to detect covert channels. In our evaluation, we enable the capture of those frames having failed FCS checks using radiotap headers [1] to calculate actual BERs. Radiotap headers are supported by various chipsets and forward additional information, such as the transmission's center frequency, RF signal and noise power at the antenna, and the FCS. Detectors can correlate all this information, for instance, an increase of packet loss despite a constant RF signal power. Still, radiotap headers do not provide the raw signal. Applying Kerckhoffs' law, information passed to upper layers is often insufficient for detecting high throughput covert channels.

(c) Panorama of the lab setup.

Fig. 3: Antenna setup for practical measurements.
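As an added illustration of the correlation described in this paragraph (example code, not the paper's detector), the following Python check runs over constructed per-frame records of the kind a monitor-mode capture with radiotap headers exposes, RF signal power and FCS outcome, and flags windows where FCS failures rise while the RF signal power stays flat; the record layout, the window size and the thresholds are assumptions.

```python
"""Layer 2 indicator for a physical layer covert channel, built from the
per-frame metadata a monitor-mode capture with radiotap headers exposes.

Constructed example (not the paper's implementation): each record is
(rf_signal_dbm, fcs_ok). Ordinary fading lowers the RF signal power *and*
raises FCS failures together; a covert channel that damages frames raises
FCS failures while the RF signal power stays flat. That decoupling is what
this check looks for. Window size and thresholds are assumptions.
"""
from statistics import median


def failure_rate(records):
    """Fraction of frames in `records` whose FCS check failed."""
    if not records:
        return 0.0
    return sum(1 for _, fcs_ok in records if not fcs_ok) / len(records)


def median_signal(records):
    """Median RF signal power (dBm) over `records`."""
    return median(sig for sig, _ in records)


def suspicious_windows(records, baseline, window=100,
                       rate_factor=5.0, signal_tolerance_db=3.0):
    """Return start offsets of non-overlapping windows whose FCS failure rate
    is at least `rate_factor` times the baseline rate while the median RF
    signal power stays within `signal_tolerance_db` of the baseline median.

    `baseline` is a capture known to be free of covert traffic. Windows where
    the loss rises together with a signal drop are attributed to the radio
    channel, not to a covert transmitter, and are therefore not flagged.
    """
    base_rate = failure_rate(baseline)
    base_signal = median_signal(baseline)
    # A zero baseline rate must not turn a single error into "5x the baseline".
    floor = max(base_rate, 1.0 / window)
    flagged = []
    for start in range(0, len(records) - window + 1, window):
        win = records[start:start + window]
        loss_up = failure_rate(win) >= rate_factor * floor
        signal_flat = abs(median_signal(win) - base_signal) <= signal_tolerance_db
        if loss_up and signal_flat:
            flagged.append(start)
    return flagged


def make_segment(count, rf_signal_dbm, fail_every):
    """Constructed capture segment: constant RF signal power, one FCS failure
    every `fail_every` frames (frame 0 of the segment always fails)."""
    return [(rf_signal_dbm, i % fail_every != 0) for i in range(count)]


# Constructed captures: a clean baseline at -50 dBm with 1% FCS failures,
# then a capture with three phases of 100 frames each.
BASELINE = make_segment(200, -50, 100)
CAPTURE = (
    make_segment(100, -50, 100)   # normal: 1% loss, strong signal
    + make_segment(100, -50, 5)   # suspicious: 20% loss, signal unchanged
    + make_segment(100, -85, 5)   # explainable: 20% loss, but signal fell 35 dB
)

if __name__ == "__main__":
    print("baseline FCS failure rate:", failure_rate(BASELINE))
    print("flagged window offsets:", suspicious_windows(CAPTURE, BASELINE))  # [100]
```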

B. Setup 

We analyze the performance of covert channels in simulation and practice using the following setups.

1) Simulation: We evaluate if the proposed covert channels are feasible utilizing diverse channel models: A (no fading), B (residential), D (typical office), and E (large office) defined in [7] and commonly used for WiFi simulations. To each model, we add additive white Gaussian noise (AWGN) and base our results on 1000 Monte-Carlo simulations.

2) Practical Setup: Since simulations might disregard the behavior of real hardware, we evaluate all covert channels in our lab environment (see Figure 3). This evaluation is twofold. We use WARPs to transmit and receive 802.11g frames between Alice and Bob with covert channels. On the receiver we can extract and analyze both the WiFi frame content and the covert channel. Hence, the WARP receiver can be considered as detector (Wendy) on Layer 1 as well as the covert channel receiver (Bob). The signal processing on both nodes is implemented in MATLAB, which connects to the WARPs using WARPLab 7.5.0.

To analyze the effect on off-the-shelf WiFi devices, we use a laptop as detector (Wendy) on Layer 2 with a Qualcomm Atheros AR9285 Wireless Network Adapter (revision 01) that we run in monitor mode with radiotap headers.

IV. Covert Channels 

In what follows, we present four practical covert channels for the physical layer of 802.11a/g.

1) A covert channel utilizing the Short Training Field in 
combination with Phase Shift Keying (STF PSK). 

2) A covert channel utilizing the Carrier Frequency 
Offset with Frequency Shift Keying (CFO FSK). 

3) A covert channel using 802.11a/g with additional subcarriers conforming to the 802.11n spectrum mask (Camouflage Subcarriers).

4) A covert channel replacing parts of the OFDM Cyclic 
Prefix (Cyclic Prefix Replacement). 

The schemes “STF PSK” and “CFO FSK” are new; “Camouflage Subcarriers” and “Cyclic Prefix Replacement” are extensions and improvements to [11] and [10], respectively.
To the best of our knowledge, none of the approaches were 
put into practice before. 









A. Short Training Field with Phase Shift Keying (STF PSK) 

Each 802.11a/g frame starts with the same STF in the preamble, which is used for frame detection, automatic gain control (AGC), and coarse CFO estimation. STF manipulations must preserve these capabilities at the receiver, otherwise the signal cannot be demodulated. Implementing a covert channel in the STF allows inserting one symbol per WiFi frame that is impossible to block even after detection.

1) Implementation: The STF contains binary phase-shift keying (BPSK) symbols that are shifted by 45° as illustrated in Figure 4a. We insert our covert channel by introducing an additional phase shift $\Delta\phi$ into all STF symbols. As phase shifts do not change the power and correlation properties of the STF, it can still be used for AGC and packet detection. Additionally, the periodicity required for CFO correction is preserved.

Per WiFi frame, we insert one phase shift. Depending on the number of bits we intend to encode, we vary the number of possible phase shift values mapped to bits using Gray coding. To extract the covert channel information, the receiver needs to compensate the channel effects in the STF using the LTF channel estimation.

Then, $\Delta\phi$ can be extracted and demapped to bits. In Figure 4b, we illustrate this process with 32 possible phase shifts (32-PSK, illustrated by black dots). The red circles mark the original STF symbol positions, and the cloud of blue dots are the received STF symbols from which we extract the phase difference to the original symbol positions.

2) Performance: Assuming we transmit WiFi frames with STF phase shift keying (PSK) covert data over AWGN channels without fading, we can reach the BERs illustrated in Figure 5. The more bits we encode in the STF, the smaller the distance between the phase steps. This results in an increased BER. For a typical 25 dB SNR, 6 covert bits per STF can be hidden with less than 0.1% covert channel BER.

To evaluate the STF PSK performance in fading channels, 
we perform simulations with channel models B, D, and E with 
a fixed SNR of 25 dB introduced by AWGN. In Figure 6a, we 
illustrate the results from 32-PSK (5 bits/symbol) to 256-PSK 
(8 bits/symbol). We observe that transmissions up to 64-PSK 
modulation are always error free, while higher modulation 
orders result in more bit errors, especially when the effects 
of fading increase. In our lab, we measure that all modulation 
orders up to 128-PSK have low median error rates as illustrated 
in Figure 6b. We conclude that one can transfer roughly 6 to 
7 bits per frame with very low BER. 

The achievable throughput of the covert channel strongly depends on the number of WiFi frames transmitted per second. For this scheme, short frames such as ACK and CTS (both 14 bytes long and sent at least at 36 Mbit/s) are ideal, since one 4 µs long OFDM-symbol sequence holds the complete MAC layer payload. Note that increasing frame rates without a plausible reason might help Wendy to detect information exchanges. Combined with STF (4 µs), LTF (8 µs) and signal field (4 µs), the complete frame is 16 µs long, resulting in a gross frame rate of 62,500 frames/s. Using 64-PSK the STF PSK covert channel achieves a gross bitrate of 375 kbit/s.

3) Detection: Layer 1. A physical layer detector needs to perform the same steps as the covert channel receiver mentioned above. Those steps are not accomplished in regular WiFi receivers and require a custom SDR-based implementation or a spectrum/signal analyzer. To lower the detection probability, a transmitter can map bits only to small phase changes, which results in reduced covert channel throughput. As the secret information is already transmitted before it can be detected, a wireless jammer cannot be used to block the covert channel transmission without destroying every WiFi frame.

Fig. 4: STF PSK symbols are shifted by $\Delta\phi$ to encode bits.

Fig. 5: Raw BER of the covert channel implemented as STF PSK scheme over an AWGN channel for different amounts of bits per frame.

Fig. 6: BER of the STF PSK covert channel. (a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB). (b) WARP-to-WARP measurement with 54 Mbps WiFi frames. (Plot: covert channel BER, 0% to 60%, over PSK modulation order 2 to 1024.)

Layer 2. As mentioned above, a phase shift in the STF does not influence the functionality of the STF at the receiver. To verify this, we compared BERs of received WiFi frames with and without covert channel and were not able to distinguish between them, neither in simulation nor in practice when receiving with a WARP or an off-the-shelf WiFi card.














B. Carrier Frequency Offset with Frequency Shift Keying (CFO FSK)

A WiFi baseband signal is upconverted to the carrier frequency $f_c$ with $f_{c,tx} \approx f_c$ and downconverted using $f_{c,rx} \approx f_c$ (see Figure 7). Their difference results in CFO, which needs to be corrected, together with additional CFO due to the Doppler effect. WiFi receivers are capable of correcting CFOs by tracking the pilots that are inserted into each OFDM symbol. We introduce an artificial $f_\mathrm{CFO}$ at the transmitter as covert channel. Regular WiFi receivers silently correct $f_\mathrm{CFO}$, while covert channel receivers can extract the hidden information.

Fig. 10: CFO FSK covert channel simulation with 24 Mbps WiFi frames (SNR = 25 dB).


1) Implementation: To encode bits, the transmitter maps them to the two frequencies $\pm\Delta_\mathrm{CFO}$, each with a symbol length of an OFDM symbol (4 µs). The resulting complex waveform is multiplied with the time-domain signal of the WiFi frames in the baseband. This shifts each OFDM symbol by $\pm\Delta_\mathrm{CFO}$ in the frequency domain, depending on the encoded bit.

A covert channel receiver estimates the phase shifts of 
the pilot symbols for each OFDM symbol, as illustrated in 
Figure 8. The covert CFO changes are superimposed by an 
additional slowly varying CFO. To extract bits despite further 
CFO components, the receiver first lowpass filters the CFO 
estimate and uses it as a threshold for a hard decision decoder. 
The six outer bits on both sides are discarded as they contain 
many bit errors. The lowpass filter is implemented as 20-tap 
finite impulse response (FIR) filter, which requires at least 60 
OFDM symbols to work correctly. 
(a) Simulation with 24 Mbps WiFi frames (SNR = 25 dB). (Plot: BER 0% to 35%; legend: WARP raw BER, WARP eff. BER, WiFi eff. BER.)


2) Performance: In the simulations we add a fixed 50 kHz CFO for both AWGN and fading channels as well as a 15 Hz maximum Doppler spread for the fading channels B, D, and E, representing environmental movement. The resulting AWGN covert rates for different $\Delta_\mathrm{CFO}$ values in Figure 9 show that stronger CFO changes enhance the covert channel. As illustrated in Figure 10, stronger multipath effects lead to higher covert BERs. Especially in model E, a $\Delta_\mathrm{CFO}$ of more than 10 kHz is required to keep the BERs low. In WARP-to-WARP measurements with 54 Mbps WiFi frames, for $\Delta_\mathrm{CFO} = 1$ kHz, the average covert BER is 15%—for $\Delta_\mathrm{CFO} > 5$ kHz no errors occur, which is comparable to the AWGN simulation results.

The BERs of the WiFi frames in both simulation (Figure 11a) and practice (Figure 11b) show that—up to 10 kHz $\Delta_\mathrm{CFO}$—there is almost no increase in the BERs at the detector. To avoid detection, the lowest working $\Delta_\mathrm{CFO}$ should be chosen, which is 5 kHz in our lab. By encoding 1 bit per 4 µs OFDM symbol, the covert throughput is 250 kbit/s.


(b) WARP-to-WARP/Laptop 54 Mbps legitimate receiver.

Fig. 11: CFO FSK BER at the legitimate receiver.

3) Detection: Layer 1. Every WiFi receiver estimates and corrects CFOs. However, those measurements are normally directly discarded during signal processing. As shown in Figure 8, receivers capable of analyzing CFO changes over time can directly detect the binary pattern. Using lower $\Delta_\mathrm{CFO}$ values hardens detection but increases error probabilities on the covert channel.

Layer 2. Our simulated and practical results in Figure 11 show that large CFO changes drastically increase BERs in all channel models. However, in our setup 5 kHz $\Delta_\mathrm{CFO}$ is sufficient for covert transmissions without increasing errors in the WiFi frame reception. Furthermore, $\Delta_\mathrm{CFO}$ could slowly be increased to stealthily reach a working point to prevent detectable sudden BER changes. Hence, CFO frequency shift keying (FSK) can be undetectable on Layer 2, if configured carefully.



Fig. 7: We introduce artificial CFO $f_\mathrm{CFO}$ into each OFDM symbol in the baseband.

Fig. 8: Frequency offset measurement of each received OFDM symbol showing the binary shift keying modulation.

Fig. 9: Raw BER of the CFO FSK covert channel over AWGN channels with different $\Delta_\mathrm{CFO}$.
















C. Camouflage Subcarriers 

The camouflage subcarrier covert channel hides information in subcarriers used in other protocol variants. In 802.11a/g, 52 subcarriers are used for 48 data and 4 pilot transmissions, while 802.11n utilizes 56 subcarriers in the same band. The additional 4 subcarriers can be utilized in 802.11a/g transmissions as covert channel. At first sight, the spectra look like valid 802.11n frames (as depicted in Figure 12). A regular 802.11a/g/n WiFi receiver does not sense the number of used subcarriers, but only checks the signal field at the beginning of the frame and continues decoding according to the 802.11a/g standard, simply ignoring camouflage subcarriers. Using additional subcarriers was proposed in [11], yet without the constraint to mimic another protocol version.

1) Implementation: We replace the 802.11a/g LTF with the 802.11n HT-LTF, which still correlates with the LTF, thus allowing a proper timing synchronization at the receiver. Additionally, the covert receiver can estimate the channel effects of the camouflage subcarriers.

2) Performance: When comparing Figure 13 to Figure 2, it is obvious that the covert subcarriers perform very similarly to the normal subcarriers. Depending on channel effects and output filters, it might happen that the outer subcarriers have a slightly different performance, though. Covert subcarrier performance for different channel models is depicted in Figure 14. Assuming camouflage and normal subcarrier performance are similar, the covert channel performance is 8.3% of the normal channel throughput.

In our experiments, we vary the rate of the camouflage subcarriers, while keeping the rate of the regular WiFi data fixed. Figure 14 compares simulation results of camouflage subcarriers. Experimental results are not illustrated—the WARP-to-WARP channel in our lab is quite good and no errors occur in the camouflage subcarriers for all modulation orders.

3) Detection: Layer 1. A Layer 1 detector that can decode the signal field is able to determine if the number of subcarriers within the signal is correct. However, only checking the spectrum will not reveal the covert channel, as it is still valid and conforms to the 802.11n standard.

Layer 2. A Layer 2 detector has insufficient information since neither normal subcarrier performance decreases nor interference with neighboring channels occurs. Even further subcarriers can be used to increase covert channel throughput as long as the neighboring channels do not overlap, but this could be easily detected on Layer 1. Our results show that adding camouflage subcarriers increases BERs neither in simulation nor in practice.

D. Cyclic Prefix Replacement 

Multipath effects and timing offsets during demodulation cause overlapping OFDM symbol parts, called inter-symbol interference (ISI). In 802.11a/g, a cyclic prefix (CP) is prepended to symbols in order to reduce ISI. At reception, this CP is not decoded. Nevertheless, the CP might still be larger than the actual ISI and, hence, can be used as a covert channel.

A simulation in [10] replaces the complete CP with covert symbols. This results in a normal channel with up to 54 Mbit/s according to 802.11a/g and an additional covert channel achieving 13.5 Mbit/s, since the CP length is 1/4 of the normal symbol. The channel performs well because the simulations are limited to AWGN channels with neither fading nor ISI, where the CP is not required at all. In practice, we could not reproduce such optimistic results.

Fig. 12: Spectra of both regular 802.11g frames and camouflage subcarrier frames fit into 20 MHz WiFi channels.

Fig. 13: Raw BER of the camouflage subcarriers over AWGN.

Fig. 14: BER of covert camouflage subcarriers in simulation with 24 Mbps WiFi frames (SNR = 25 dB).

Fig. 15: CP replacement methods compared.

Fig. 16: Raw BER of the Cyclic Prefix Replacement covert channel over AWGN channels.

1) Implementation: There are basically two ways of embedding data in the CP. In the first approach, four CPs are combined to obtain a symbol of regular length. In a practical channel instead of the AWGN channel proposed in [10], fading effects disturb samples near the concatenation points. A solution is shown in Figure 15a, where the covert symbols are distributed to multiple CPs with some overlapping samples. First simulation results, however, show that more concatenations lead to more disturbances (e.g., due to the Doppler effect), making this approach impractical.

The second approach decreases the Fast Fourier Transform (FFT) size to a maximum of the actual CP length, automatically leading to fewer subcarriers as depicted in Figure 15b. Even though only 1/4 of the subcarriers are used in a 16-point FFT compared to the normal symbol's 64-point FFT, 12 symbols are usable by replacing the full CP. Using four CPs, 48 symbols can be used for data transmission—analogous to the first approach. To reduce the ISI with regular OFDM symbols, the covert channel FFT size can be reduced to 8, 4, or 2 at the cost of covert throughput. Prepending a CP to the covert channel in the CP (called CPCP) even removes ISI inside the covert channel. In our experiments, we add a CPCP of 2 samples to the 1/2 CP replacement scheme.

2) Performance: The performance of the CP replacement covert channel is very high. Figure 16 compares BERs for different CP replacement strategies in an AWGN channel. Replacing shorter parts of the CP results in more errors. Adding a CPCP does not help in an AWGN channel because the channel does not introduce ISI. In contrast, in the multipath channel simulations illustrated in Figure 17a, the CPCP significantly decreases the covert channel BERs. In our lab environment, the CPCP is required and very effective: it reduces the BER to 0% as shown in Figure 17b. Depending on the actual amount of multipath effects, a higher CPCP length is reasonable.

Throughput of full CP replacement is 25% of the corresponding WiFi frame throughput, if multipath effects are neglected. For 1/2 CP replacement, the maximum throughput is reduced to 12.5% of the WiFi frame throughput. Hence, even with the CPCP improvement for fewer transmission errors, this covert channel has good performance.

3) Detection: Layer 1. A physical layer detector can 
compare the last 16 samples of an OFDM symbol with its 
cyclic prefix, which should be similar except for ISI damage. 

Replacing parts of the original CP slightly increases out-of- 
band emissions that might be visible in a spectrum analyzer— 
but they are still within the spectral mask (see Figure 19). 
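The Layer 1 check described above, implemented as an added example (this code is not from the paper or its authors): it builds 802.11a/g-style OFDM symbols with a pure-Python inverse DFT, computes the normalised cross-correlation between each cyclic prefix and the last 16 samples of its symbol body, and averages that statistic over a frame. The frames with partially or fully overwritten CPs are constructed test inputs only: by assumption the first 8 or 16 CP samples are overwritten with power-matched random samples, and the paper's actual covert waveform is not reproduced. The noise level and the detection threshold of 0.8 are assumptions as well.

```python
import cmath
import math
import random

# 802.11a/g OFDM numerology (as used in the paper): 64-point FFT, 16-sample cyclic prefix.
N_FFT = 64
CP_LEN = 16
# Data/pilot subcarriers -26..-1 and 1..26 (DC unused); negative indices wrap to 38..63.
USED_BINS = list(range(1, 27)) + list(range(N_FFT - 26, N_FFT))


def idft(freq):
    """Naive inverse DFT (pure Python, so the example runs without numpy)."""
    n = len(freq)
    return [sum(freq[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def make_ofdm_symbol(rng):
    """One regular OFDM symbol: random QPSK on the used bins, CP = copy of the last 16 samples."""
    freq = [0j] * N_FFT
    for k in USED_BINS:
        freq[k] = complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / math.sqrt(2)
    body = idft(freq)
    return body[-CP_LEN:] + body


def add_awgn(symbol, sigma, rng):
    """Add complex white Gaussian noise (sigma per I/Q component)."""
    return [s + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)) for s in symbol]


def replace_cp(symbol, n_replaced, rng):
    """Constructed test input for the detector (assumption: the first n_replaced CP samples
    are overwritten with power-matched random samples; this is a stand-in, not the paper's
    covert waveform)."""
    body = symbol[CP_LEN:]
    rms = math.sqrt(sum(abs(s) ** 2 for s in body) / len(body))
    sigma = rms / math.sqrt(2)
    cp = list(symbol[:CP_LEN])
    for i in range(n_replaced):
        cp[i] = complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
    return cp + body


def cp_similarity(symbol):
    """One concrete form of the Layer 1 check: normalised cross-correlation magnitude
    between the cyclic prefix and the last CP_LEN samples of the body (1.0 = exact copy)."""
    cp = symbol[:CP_LEN]
    tail = symbol[-CP_LEN:]
    num = abs(sum(a * b.conjugate() for a, b in zip(cp, tail)))
    den = math.sqrt(sum(abs(a) ** 2 for a in cp) * sum(abs(b) ** 2 for b in tail))
    return num / den if den else 0.0


def frame_cp_similarity(symbols):
    """Average the per-symbol statistic over a frame to suppress noise-driven variance."""
    return sum(cp_similarity(s) for s in symbols) / len(symbols)


def is_suspicious(symbols, threshold=0.8):
    """Flag a frame whose CPs no longer match their symbol tails (threshold is an assumption)."""
    return frame_cp_similarity(symbols) < threshold


def demo_frames(n_symbols=20, seed=1):
    """Constructed frames: clean, noisy, half of the CP replaced, full CP replaced."""
    rng = random.Random(seed)
    clean = [make_ofdm_symbol(rng) for _ in range(n_symbols)]
    return {
        "clean": clean,
        "noisy": [add_awgn(s, 0.01, rng) for s in clean],
        "half": [add_awgn(replace_cp(s, CP_LEN // 2, rng), 0.01, rng) for s in clean],
        "full": [add_awgn(replace_cp(s, CP_LEN, rng), 0.01, rng) for s in clean],
    }


def demo(n_symbols=20, seed=1):
    """Frame-level CP/tail similarity for each constructed frame."""
    return {name: frame_cp_similarity(f) for name, f in demo_frames(n_symbols, seed).items()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:6s} CP/tail similarity = {value:.3f}")
```

In a multipath channel the statistic also drops because of ISI damage to the CP, as the text notes, so a deployed detector has to calibrate its threshold on known-benign frames captured in the same environment rather than reuse a value derived from an AWGN-like setting as here.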

Layer 2. Since the CP is removed before further processing 
on Layer 2, the only visible effect is an increased BER in rich 
multipath environments. A Layer 2 detector cannot measure 
the actual channel coefficients and thus, cannot distinguish 
whether a high BER is caused by a covert channel or not. 

As expected, in the multipath channels the legitimate BER 
significantly increases at complete CP replacement. However, 
we could not measure negative effects of 1/2 CP replacement 
for channel models B and D, as our results in Figure 18a 
show. In the practical measurements in Figure 18b, only a full 
CP replacement has a negative effect on bit errors, especially 
when using off-the-shelf NICs. Hence, attackers should replace 
less than 1/2 CP in typical environments to avoid detection. 

Fig. 18: BER of WiFi frames with CP replacement at legitimate 
receivers. 

Fig. 19: The spectrum of CP Replacement frames has higher 
out-of-band transmissions than regular frames. 

V. Evaluation and Discussion 

Next, we compare results and discuss the pros and cons of 
the investigated covert channels, summarized in Table I. 

All covert channels introduced in this paper can be combined. 
Since they modify different parts of OFDM symbols, 
the overall performance when enabling all covert channels at 
once is their cumulative performance. This comes at the cost 
of an increased detectability, see subsection V-B on how to 
lower detectability. If detected, Wendy either tries to decode 
the covert channel or to block it, for example, using a wireless 
firewall such as WiFire [21]. The STF PSK covert channel is 
special, because even in case of detection it cannot be blocked. 

A. Covert Channel Performance 

A fair comparison of the covert channels is demanding, 
since they behave differently depending on the channel models, 
legitimate traffic, etc. The simulated AWGN channel is overly 
optimistic compared to our lab setup, while channel model B is 
rather similar to our lab setup and yields comparable performance 
for the covert channels. Hence, we present empirical 
results for our lab measurements with a raw BER of 0.1%, 
which can easily be corrected with basic coding schemes. 
Simulated channels D and E include effects not observable 
in our lab, hence yielding significantly harsher conditions for 
both covert and legitimate channel. 

Some covert channel rates are frame-based while others 
are symbol-based. Depending on this, either the maximum 
or minimum frame size is optimal to increase performance. 
The minimum frame size is 14 bytes for clear to send (CTS) 
and ACK frames. Data frames can have a maximum frame 
size of up to 2338 bytes, assuming an unencrypted 802.11a/g 
data frame consisting of a MAC header (typically 30 bytes), a 
MAC service data unit (MSDU) (0-2304 bytes), and an FCS (4 
bytes) [20]. Delays between frames depend on contention in 
the MAC layer and on frame types, hence we omit them in our 
exemplary calculation in Table I—as they are omitted when 
claiming an 802.11a/g maximum gross data rate of 54 Mbit/s. 
Choosing the minimum or maximum frame size on Layer 2 might 
itself look suspicious, thus this is only a reference for the 
optimal case. For low detection probability, the covert channel 
should be embedded in everyday network traffic. 

TABLE II: Detectability comparison: detectable (y), 
not detectable (n), detectability/performance trade-off (p). 

B. Detection Probability 

Table II summarizes a comparison of the detectability of 
all the proposed covert channels. Detectability is subject to the 
choice of the covert channel parameters; configuring the covert 
channel for lower throughput can help to evade detection. 

Layer 1. A Layer 1 detector might take a look at the 
spectrum and IQ constellation diagrams with a spectrum/signal 
analyzer. In case the Layer 1 detector must compare properties 
in the time domain, an SDR-supported analysis is optimal. 

In the spectrum, CP replacement is visible since it introduces 
distortions into the CP, which violate a smooth signal 
continuation in it. Camouflage subcarriers can be detected, but 
since their spectrum is valid for 802.11n, the signal field has 
to be decoded to identify the frame type. 

When analyzing IQ constellations per symbol, all covert 
channels can be detected. However, camouflage subcarriers can 
only be identified as such if the signal field is decoded and 
checked. CP replacement is visible in the symbols after cutting 
off the CP, when Wendy is in a multipath-rich environment. 
Detection probability for STF PSK and CFO FSK can be 
lowered by reducing Δφ and ΔCFO, respectively. 

Layer 2. A Layer 2 detector can only see an increasing 
BER: if the covert channel is switched on and off immediately, 
BER changes are visible on Layer 2. Hence, STF PSK and 
camouflage subcarriers, which do not increase the normal 
channel BER, are not detectable on Layer 2. To reduce the 
detection probability of CFO FSK, reducing ΔCFO helps. 
Replacing shorter parts of the CP helps to diminish distortions 
in multipath-rich environments, leading to lower overall BERs. 
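The Layer 2 observation above (BER changes become visible when the covert channel is switched on and off) expressed as a simple change-point detector, added here as an example that is not part of the paper: a one-sided CUSUM over per-frame raw BER estimates, with the baseline learned from an initial training window. The per-frame BER series is constructed, with the 0.1% baseline of the lab setup used only as an order of magnitude; the CUSUM slack and threshold defaults are assumptions.

```python
import random


def cusum_alarm(ber, train=50, k=None, h=None):
    """One-sided CUSUM on a per-frame BER series. Returns the index of the first frame at
    which an upward shift is signalled, or None. The baseline mean is estimated from the
    first `train` frames; k and h are the usual CUSUM slack and decision threshold
    (assumed defaults: k = 2 x baseline mean, h = 20 x baseline mean)."""
    if len(ber) <= train:
        raise ValueError("need more frames than the training window")
    mu0 = sum(ber[:train]) / train
    k = 2.0 * mu0 if k is None else k
    h = 20.0 * mu0 if h is None else h
    s = 0.0
    for i in range(train, len(ber)):
        # Accumulate only excess error above baseline + slack; reset at zero.
        s = max(0.0, s + (ber[i] - mu0 - k))
        if s > h:
            return i
    return None


def constructed_ber_series(n=200, shift_at=120, base=0.001, elevated=0.01, seed=7):
    """Constructed per-frame raw BER values (not measurement data): `base` before the
    covert channel is assumed to be switched on at frame `shift_at`, `elevated` afterwards,
    each with 30% relative Gaussian jitter."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        mean = base if i < shift_at else elevated
        out.append(max(0.0, rng.gauss(mean, 0.3 * mean)))
    return out


if __name__ == "__main__":
    series = constructed_ber_series()
    print("alarm at frame", cusum_alarm(series))
    print("baseline only:", cusum_alarm(constructed_ber_series(shift_at=10**9)))
```

As the text points out, such a detector only shows that the error rate changed, not why: a step in BER is equally consistent with a change in the radio channel, so it is a trigger for Layer 1 inspection rather than evidence of a covert channel on its own. Switching the covert channel off produces the mirror-image downward step, which a second CUSUM with negated increments would catch.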

TABLE I: Summary of the analyzed covert channels. The exemplary performance values use our lab setup. Covert and 
legitimate channel have a median raw BER of below 0.1% and use optimal settings for the covert channel. 

Covert Channel | Section | Conclusion 
STF PSK | Sec. IV-A | Introduces phase shift to STF; immune to reactive jamming; no influence on WiFi BER; 1 PSK symbol per frame; max. covert rate 375 kBit/s for 64-PSK 
CFO FSK | Sec. IV-B | Introduces artificial CFO; tunable for no influence on WiFi BER; 1 bit per OFDM symbol; max. covert rate 250 kBit/s for 5 kHz FSK 
Camouflage Subcarriers | Sec. IV-C | Uses four additional subcarriers from 802.11n; no influence on WiFi BER; 4 QAM symbols per OFDM symbol; max. covert rate 4.5 Mbit/s for 54 Mbit/s WiFi frames 
Cyclic Prefix Replacement | Sec. IV-D | (Partial) replacement of the cyclic prefix; no influence on WiFi BER in line-of-sight channels, but affected by multipath effects; 12 (full CP rep.)/6 (half CP rep.) QAM symbols per OFDM symbol; max. covert rate 6.75 Mbit/s for 1/2 CP with CPCP 

VI. Related Work 

The idea of hiding information in wireless network traffic 
is not new. Most schemes are designed for the data link 
layer or higher, using reserved fields, time delays, or packet 
corruptions. An approach for transmitting data in corrupted 
frames was first proposed in [18]; cryptographic information 
identifying corrupted frames is exchanged in advance using 
Wired Equivalent Privacy (WEP) cipher initialization vectors 
(IVs) and MAC addresses. WEP IVs are implemented in [8], 
but without making covert data match the same probability 
distribution as IVs. In [16], reserved fields are proposed for 
802.15.4 covert channels. An 802.11 MAC layer analysis 
on campus traffic in [12] evaluated utilizable fields due to 
randomness and high occurrence, proposing the Frame Control 
Field (FCF) bits More Frag, Retry, PwrMgt, and More Data as well as 
the 802.11 header fields Duration/ID and FCS. In [13], timings 
of Retry bits indicating retransmissions are used to encode 
information. Hiding wireless access points by swapping fields 
with an Atheros and madwifi-ng is realized in [5]. 

Wireless physical layer covert channels are rare, but they 
are more generic. Hence, related work in this area is not 
only on 802.11g but on OFDM based systems in general. In 
[11], the usage of additional subcarriers in LTE and WiMAX 
is evaluated in simulation. The model assumes that covert 
sender and normal sender are different entities, therefore 
their timing offset impacts subcarrier orthogonality. 802.11n 
physical layer steganography using the CP is proposed in [10]. 
In a simple AWGN based simulation, they achieve a data rate 
as high as 1/4 of the normal channel without degradation. 

To the best of our knowledge, there is only one wireless 
physical layer covert channel that was put into practice: dirty 
IQ constellations for 802.11a/g [6]. The authors define four 
IQ constellations in addition to the four raw QPSK points. 
This way, they can reach up to the same covert throughput 
as normal throughput. To circumvent detection, they modified 
constellations to use a Gaussian distribution, and compared 
them to regular noisy signals. However, when we tried to 
reproduce their results including the obfuscation mechanism, 
we had to cope with a high amount of bit errors, especially in 
more complex channel models. 

A related topic to covert channels is watermarking of 
signals, allowing for identification and authorization on a physical 
layer basis. For this, an authentication tag is embedded. 
In [19], cognitive radio primary users add phase noise to 
QPSK symbols to authenticate themselves while maintaining 
backward compatibility to secondary users who are not aware 
of this scheme. A similar scheme for a non-return-to-zero 
encoding is proposed in [14] by embedding authentication tags 
in redundant information reducing ISI. A fingerprint can also 
be added to the channel state before sending; assuming only 
small channel changes between transmissions, users who know 
the previous channel state can extract the fingerprint [9]. The 
QPSK scheme is secured against user emulation attacks in 
[4] by adapting the phase distortion to the current SNR. 
However, all these schemes were only verified in simulations. 
A practical implementation adding further IQ constellations as 
in [6] without Gaussian distribution is shown in [22]. 

VII. Conclusion 

In this paper, we show that physical layer WiFi covert 
channels are feasible in practice. We design novel covert 
channels and improve known ones. Our work is—to the best of 
our knowledge—the first one to characterize various OFDM- 
based covert channels in practical settings. Based on our 
results, we discuss pros and cons of the covert channels with 
respect to their performance as well as their detectability. With 
this, we provide a first compendium for practical physical layer 
WiFi covert channels, which facilitates the understanding of 
this potential attack vector. 